gcleaner | 994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f

Analysis

max time kernel
290s
max time network
226s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-06-2024 23:37

Target

994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
Size

368KB
MD5

809a4cf6f057257df2b5e77e1a445168
SHA1

d98a51e61f1bd17c04eb876edcbf23d047280d18
SHA256

994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f
SHA512

5ed052c64a95144931f5a5f53a878dc03868c18d7015e8c614ebcb8a5ec843597db93853a1eec3ab3dce60935e5a059c19199fe3a2dd743f550f2fc5781b0175
SSDEEP

6144:RPTPL+kk4F2edJZirYGNrAMegVuNylSkG1qb:RbPCkkm5kNrA8VuN1

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

185.172.128.69

Attributes

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3772	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
5096	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
4648	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
4632	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
3916	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
992	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
4548	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
220	3924	WerFault.exe	994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe

C:\Users\Admin\AppData\Local\Temp\994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe
"C:\Users\Admin\AppData\Local\Temp\994761a2e3db4372321ab46019b71d82978abd12cd0df7fa43180653c2cc3f8f.exe"
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 764
2⤵
- Program crash
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 816
2⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 844
2⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 952
2⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 992
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1116
2⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1180
2⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1220
2⤵
- Program crash
PID:220

memory/3924-2-0x00000000023E0000-0x000000000240D000-memory.dmp

Filesize
180KB

Download
memory/3924-1-0x0000000002500000-0x0000000002600000-memory.dmp

Filesize
1024KB

Download
memory/3924-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-5-0x0000000000400000-0x0000000002378000-memory.dmp

Filesize
31.5MB

Download
memory/3924-8-0x00000000023E0000-0x000000000240D000-memory.dmp

Filesize
180KB

Download
memory/3924-7-0x0000000002500000-0x0000000002600000-memory.dmp

Filesize
1024KB

Download
memory/3924-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download